MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21bd2c88898f8fea3ba9dddb1c9e3cfb8f279d884099830dbda16acdde273587. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BumbleBee


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21bd2c88898f8fea3ba9dddb1c9e3cfb8f279d884099830dbda16acdde273587
SHA3-384 hash: 93777c849e2c0b29297ec750fb4c9bc498da9a565cfa17084506c54a3281d0408bdf54658851339cc2d54333243fc123
SHA1 hash: 2ee9d9dbca105772c8320ef4bfd437d9bf6664d0
MD5 hash: 69cd7700a687c190dcf824fee2a022b0
humanhash: hawaii-speaker-vegan-virginia
File name:denev3r.dll
Download: download sample
Signature BumbleBee
Create hunting rule
File size:1'639'936 bytes
First seen:2022-06-09 08:24:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8b516adcb2cc90269071b28f41dc294 (1 x BumbleBee)
ssdeep 24576:RvBfnKEnTu0k6W0gl81c7sLMjB/lvIPNpAErvmrQclIuNmX3EmnQsvlvNs:RFnKgu5Vr7gMjZtCSIuEnEmnQsvdNs
Threatray 2'237 similar samples on MalwareBazaar
TLSH T17375C02AE1DEA588D94F49F699315CAFB76358BF3E483014870D379428A37B4CE44E72
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter pr0xylife
Tags:7rr BUMBLEBEE exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
denev3r.dll
Verdict:
No threats detected
Analysis date:
2022-06-10 00:31:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/54cd6b67-b992-4a2e-9b0b-aaecc52ee5b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BumbleBee
Create hunting rule
Link:
https://www.capesandbox.com/analysis/278130/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Detecting VM
Using the Windows Management Instrumentation requests
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/62a1ae65816de95910e2c034/reports/cb4412bc-b5b0-45d0-ba23-22102eeb7991/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a89a75c0-e2b7-4804-a247-2062d368ab28
Result
Threat name:
BumbleBee
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1009792
Signature
Contain functionality to detect virtual machines
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Searches for specific processes (likely to inject)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected BumbleBee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 642287 Sample: denev3r.dll Startdate: 09/06/2022 Architecture: WINDOWS Score: 84 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected BumbleBee 2->30 32 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->32 7 loaddll64.exe 1 2->7         started        process3 signatures4 34 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->34 36 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 7->36 38 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->38 40 3 other signatures 7->40 10 cmd.exe 1 7->10         started        12 regsvr32.exe 7->12         started        15 rundll32.exe 7->15         started        process5 signatures6 17 rundll32.exe 10->17         started        42 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->42 44 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 12->44 46 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->46 50 2 other signatures 12->50 48 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->48 process7 signatures8 20 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->20 22 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 17->22 24 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->24 26 3 other signatures 17->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21bd2c88898f8fea3ba9dddb1c9e3cfb8f279d884099830dbda16acdde273587/
Threat name:
Win64.Trojan.Bumbleloader
Create hunting rule
Status:
Malicious
First seen:
2022-06-09 08:25:18 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eg6szcejr6h6uo5j3xnrzhr47ohsphmiicmygdn5ufvm3xrhgwdq._file
Verdict:
malicious
Similar samples:
1c85809c6f53b9f2f688fc1d50659cc6f0a018f36c2e2617d4fbfed0e4839ce5
BumbleBee
a27dfea07887442cd18f7f52d3f28994e9b93631a998fe254a8bc654fad94b4e
BumbleBee
e53559c78dd327bd53cd47635c73d57273c3e0a809c7bee8d3353b3903d7c2ff
BumbleBee
e9b974d8bef3bbad04eb70f84f2102ca39faee208aea618fac76730f7d5d75bf
BumbleBee
ea52c881008e458daee5570c03b89726a0b3a652c26a3ec63002c82ba461e48c
BumbleBee
f3d6cc38e35b0738ac5968f8c15404bbe17a1cc00cd6af03b99942e3d9174c8e
BumbleBee
+ 2'227 additional samples on MalwareBazaar
Result
Malware family:
bumblebee
Create hunting rule
Score:
  10/10
Tags:
family:bumblebee botnet:7rr evasion trojan
Link:
https://tria.ge/reports/220609-kbamjshaa4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Checks BIOS information in registry
Identifies Wine through registry keys
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
BumbleBee
Malware Config
C2 Extraction:
103.175.16.107:443
194.135.33.149:443
154.56.0.241:443
23.254.201.97:443
45.147.229.101:443
185.62.58.169:443
192.236.249.68:443
193.239.84.254:443
37.120.198.248:443
146.19.173.139:443
46.21.153.145:443
149.255.35.134:443
45.147.229.50:443
212.114.52.46:443
103.175.16.122:443
146.19.253.49:443
68.233.238.105:443
64.44.135.250:443
103.175.16.121:443
64.44.102.6:443
192.119.64.21:443
79.110.52.56:443
192.236.161.191:443
185.156.172.123:443
54.38.136.187:443
63.141.248.253:443
192.236.194.136:443
193.239.84.247:443
154.56.0.221:443
64.44.101.250:443
103.175.16.117:443
146.70.104.250:443
103.175.16.108:443
185.62.58.133:443
194.135.33.148:443
Unpacked files
SH256 hash:
21bd2c88898f8fea3ba9dddb1c9e3cfb8f279d884099830dbda16acdde273587
MD5 hash:
69cd7700a687c190dcf824fee2a022b0
SHA1 hash:
2ee9d9dbca105772c8320ef4bfd437d9bf6664d0
Link:
https://www.unpac.me/results/8de4a413-231b-4adb-9e3c-28cac2f348c9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21bd2c88898f8fea3ba9dddb1c9e3cfb8f279d884099830dbda16acdde273587

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BumbleBeeLoader
Create hunting rule
Author:enzo & kevoreilly
Description:BumbleBee Loader
Rule name:crime_win64_bumbleebee_loader_packed
Create hunting rule
Author:Rony (@r0ny_123)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/278130/

Comments